exclusive research report - keeper
TRANSCRIPT
© 2021 Keeper Security, Inc. | keeper.io/malpracticereport
Sponsored by Keeper Security
Exclusive Research Report
WORKPLACE PASSWORD MALPRACTICE REPORT
Introduction
Poor password hygiene in the workplace was a threat to organizational cybersecurity even before the COVID-19 pandemic. When COVID-19 forced organizations worldwide to rapidly deploy and secure remote workforces, teams began connecting to organizational resources remotely, in environments that their employers did not control, many times using their own devices.
Respondents to the Ponemon Institute’s Cybersecurity in the Remote Work Era: A Global Risk Report, commissioned by Keeper Security in 2020, expressed grave concerns over password security in their organizations:
• 60% of respondents said their organizations experienced a cyberattack in the past 12 months.
• Over 50% of these attacks involved stolen credentials.
• The theft of IT assets caused $5 million or more in damages for 25% of businesses.
The pandemic pushed organizations to rapidly deploy a host of new technologies to keep remote employees connected, collaborating, and working. From Zoom to Google Workspace to Slack, employees had to sign up for yet more online accounts — and keep track of yet more passwords.
Keeper wondered how much password security had changed since companies moved to remote work environments. Were remote employees following simple best practices to secure their passwords, or were they falling prey to “password fatigue” and engaging in bad habits that lead to significant cybersecurity risks? Which is why Keeper, in partnership with Pollfish, conducted the Workplace Password Malpractice Survey.
While Ponemon surveyed organizational leaders, we decided to go straight to employees for this survey, and we queried 1,000 full-time workers in the United States about their password habits. The survey was completed in February 2021, and consisted of only individuals who used passwords to log into work-related online accounts.
Following are the most important findings from the survey. The full data can also be viewed on page 5.
Finding 1: U.S. employees are tracking & storing their login credentials insecurely
Our survey found that U.S. employees are not following best practices when storing and tracking their work-related passwords, presenting major cybersecurity risks for their employers.
• Over half of respondents (57%) admit to writing down work-related online passwords on “sticky notes”, and two-thirds (67%) admit to having lost these notes. In addition to leaving sensitive corporate information in full view of anyone else living in or visiting their home, this harms organizational efficiency. Lost sticky notes mean lost passwords, which result in help desk tickets to reset said passwords.
• 62% of respondents store login credentials in a notebook or journal, and the overwhelming majority (82%) say that they keep these notebooks next to or close to their work devices, where they can be accessed by anyone else who lives in or is visiting their home.
Using a pen and paper to keep track of passwords has become even more problematic in the remote work world. Most workers (66%) say that they’re more likely to write down work-related passwords when working from home than they are while working in the office.
2© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Even when using digital methods to track and store their passwords, U.S. employees are engaging in poor password security practices.
• Nearly half of respondents (49%) save work-related passwords in a document in the cloud.
• Just over half (51%) say that they currently save these passwords in a document saved on their computer.
• 55% save work-related passwords on their phone.
Storing passwords in unencrypted files is extremely risky. All a cybercriminal needs to do is breach the cloud storage, computer, or mobile device, and they can access all of the employee’s passwords.
Finding 2: U.S. employees are creating weak, easily guessed passwords
A strong password consists of a random string of uppercase and lowercase letters, numerals, and special characters. However, many respondents admitted to using passwords that contain personal details, which cybercriminals can easily find on social media channels.
• Over one-third (37%) of respondents have used their employer’s name in a work-related password.
• Over one-third (34%) have used their significant other’s name or birthday.
• Nearly one-third (31%) have used their child’s name or birthday.
Password re-usage between personal and work-related accounts has become a big cybersecurity risk for companies, with 44% of respondents admitting to reusing passwords across personal and work-related accounts and 53% admitting to keeping password-protected personal accounts on their work devices.
Finding 3: U.S. employees are sharing work-related passwords with unauthorized parties
Many U.S. employees are not exercising care regarding whom they share their work-related passwords with. This puts organizations at risk of being breached should these passwords wind up in the hands of someone who is careless or who has malicious intentions.
• Over the past year, 14% of respondents have shared their work-related passwords with their significant other or spouse.
• 11% of respondents have shared work-related passwords with another family member.
Even absent a data breach, an employer could be found out of compliance, and assessed very large penalties, if it is discovered that unauthorized parties have viewed compliance-protected data.
3© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Finding 4: U.S. employers are not doing their part to ensure that passwords are being shared securely and/or only with authorized parties
Our survey found that shared passwords in the workplace are common.
• Nearly half of respondents (46%) report that their company shares passwords for accounts that are used by multiple people.
• Over one-third (34%) have shared work-related passwords with colleagues on the same team.
• Nearly one-third (32%) have shared work-related passwords with their managers.
• 19% have shared their passwords with their executive team.
The best thing to do is to give every user a unique password for every work-related account or application, which can be practically done by utilizing the use of an Enterprise Password Management (EPM) platform. Password-sharing in the workplace is safe if the passwords are shared securely, and if passwords are shared only with unauthorized parties. Our survey results indicate that many U.S. employers are not exercising risk mitigation strategies to help ensure safe password-sharing.
• The majority of respondents (62%) report sharing a work-related password over text message or email, which could be intercepted by cybercriminals in transit.
• Nearly one-third of respondents (32%) admit to accessing an online account belonging to a previous employer, which indicates that many employers are not disabling accounts when employees leave the company.
Conclusion
Adopting and implementing an enterprise password management platform such as Keeper Enterprise would cure the password malpractice uncovered in this survey. Keeper’s zero-knowledge password encryption and zero-trust framework provides advanced password management, secure sharing, and other security capabilities. IT administrators and leaders gain complete visibility and control into employee password practices, including:
• Exclusive, proprietary zero-knowledge security model and zero-trust framework system; all data in transit and at rest is encrypted; it cannot be viewed by Keeper Security employees or any outside party.
• Rapid deployment on all devices, with no upfront equipment or installation costs.
• Personalized onboarding and 24/7 support and training from a dedicated support specialist.
• Support for RBAC, 2FA, auditing, event reporting, and multiple compliance standards, including HIPAA, DPA, FINRA, and GDPR.
• Provision secure shared folders, subfolders, and passwords for teams.
• Single Singn-On (SAML 2.0) authentication
• Enable offline vault access when SSO is not available.
• Dynamically provision vaults through SCIM.
• Configure for High Availability (HA).
• Advanced two-factor/multi-factor authentication
• Active Directory and LDP sync
• SCIM and Azure AD provisioning
• Developer APIs for password rotation and backend integration4© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Audience DemographicsSample Size 1000
Career
Advertising
Agriculture, Forestry, Fishing & Hunting
Arts, Entertainment, or Recreation
Automotive
Broadcasting
Construction
Consulting
Education
Energy, Utilities, Oil & Gas
Fashion/Apparel
Finance & Insurance
Government & Public Admin
Health Care & Social Assistance
Homemaker
Hotel & Food Services
Human Resources
Information - Other
Information - Services & Data
Legal Services
Manufacturing - Computer & Electronics
Manufacturing - Other
Market Research
Marketing/Sales
Military
Personal Services
Processing
Publishing
Real Estate, Rental, or Leasing
Religious
Retail
Scientific or Technical Services
Security
Shipping/Distribution
Software
Telecommunications
Transportation & Warehousing
Wholesale
Other
0 50 100 150
5
5
15
16
12
21
7
7
7
4
38
9
8
140
2
1
119
3
13
13
13
2
2
2
34
35
34
48
30
80
29
10
14
88
24
24
85
10© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
12
436500
400
300
200
100
0
132
75
345
Middle School High School Vocational/ Technical College
University Post-graduate
Education
228
52
250
200
150
100
50
0
122
154
164
123 118
< $25K $25K - $49,999K
$50K - $74,999
$75K - $99,999
$100K - $124,999
$125K - $149,999
>$150K Prefer not to say
Income
Ethnicity
3
800
1000
600
400
200
80
60
40
20
0
34
5442
21
793
16 8
29
Arab Asian Black Hispanic Latino White Multiracial Other Prefer not to say
11© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
1000
1250
1000
750
500
250
0 Employed for wages
Self- Employed
Out of work & looking
Out of work & not looking
Homemaker Student Military Retired Unableto work
Other
Employment Status
200
150
100
50
08 5
232635
50 53
89101
86
190
163 171
1 2-5 6-10 11-25 26-50 51- 100
101- 250
251- 500
501-1000
1001-5000
>5000 IDK prefer not to say
Number of Employees
12© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Organization Role
Owner or Partner
President/CEO/Chairperson
C-Level Executive
Middle Management
Chief Financial Officer
Chief Technical Officer
Senior Management
Director
HR Manager
Product Manager
Supply Manager
Project Management
Business Administrator
Supervisor
Administrative/Clerical
Craftsman
Foreman
Technical Staff
Sales Staff
Buyer/Purchasing Agent
Other non-management Staff
Prefer not to say
0 50 100 150 200
7
8
8
6
167
39
68
34
30
140
14
65
31
16
87
43
53
42
12
88
35
6
13© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Spoken Languages
English
Spanish
Portuguese
Arabic
Azerbaijani
Bengali
Bulgarian
Chinese Simplified
Chinese Traditional
Czech
Danish
Dutch
Egyptian
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Hebrew
Hindi
Hungarian
Indonesian
Italian
Japanese
Korean
Lithuanian
Norwegian
Pashto
Persian
Polish
Punjabi
Romanian
Russian
Serbian
Slovak
Swedish
0 250 500 750 1000 1250
Thai
Turkish
Ukrainian
Uzbek
1000
33
13
13
10
10
11
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
6
7
7
7
7
7
7
8
8
8
8
8
8
8
12
12
14© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
Publisher’s Choice Cybersecurity Password Management
Cutting Edge Chief Executive of the Year
Editors’ Choice 2018 & 2019
Best Product in Password Management
Best Product for SMB Cybersecurity
Publisher’s Choice for Chief Executive of the Year
Most Innovative CTO of the Year
Editors’ Choice 4.5 out of 5 stars
2020 Enterprise Leader 4.7 out of 5 stars
Spiceworks 5 out of 5 stars
Gartner Peer Insights 4.9 out of 5 stars
Best Password Manager of the Year & Editors’ Choice 2019 & 2020
Ratings & Awards
Keeper has been named PC Magazine’s Best Password Manager of the Year & Editors’ Choice, PCWorld’s Editors’ Choice for two consecutive years and is the winner of four G2 awards for Best Software and four InfoSec Award for Best Product in Password Management for SMB and Best Product for SMB Cybersecurity. Keeper is SOC-2 and ISO 27001 Certified and is listed for use by the U.S. federal government through the System for Award Management (SAM).
15© 2021 Keeper Security, Inc.
WORKPLACE PASSWORD MALPRACTICE REPORT
To download a copy of the Workplace Password Malpractice Report, infographic and more, visit our dedicated resources hub. For more information on Keeper Security, or how to defend your organization from password-related data breaches, go to keepersecurity.com.
Methodology
Keeper Security contracted with Pollfish to conduct this survey of 1,000 full time employees in the United States. Only individuals who use passwords to log into work-related online accounts were included. The survey was completed in February 2021.
About Keeper Security, Inc.
Keeper Security, Inc. (Keeper) is the highly-rated and patented cybersecurity platform for preventing password-related data breaches and cyberthreats. Keeper’s zero-knowledge security and encryption software is trusted by millions of people and thousands of businesses across the globe to mitigate the risk of cybertheft, boost employee productivity and meet compliance standards. In 2020, Keeper was named PCMag’s Best Password Manager of the Year & Editors’ Choice for the third time. Keeper has also been named PCWorld’s Editors’ Choice and is the winner of four G2 Best Software Awards and the InfoSec Award for Best Product in Password Management for SMB Cybersecurity. Keeper is SOC-2 and ISO 27001 Certified and is also listed for use by the U.S. federal government through the System for Award Management (SAM).
keepersecurity.com © 2021 Keeper Security, Inc.